On September 11, Kaspersky’s research team published a report showing attacks on South Korea’s think-tanks. This cyber-espionage campaign, named Kimsuky, seemed to only target 11 South Korean and 2 Chinese groups—some of these groups include: the Sejong Institute, KIDA (Korea Institute for Defense Analysis), South Korea’s Ministry of Unification, Hyundai Merchant Marine, and supporters of the Korean Unification.
The first instance of Kimsuky’s activity was observed on April 3, 2013, and the first Trojan samples were found on May 5, 2013. This malware is notable in that it is fairly unsophisticated and communicated with its operators through a public email server. Apparently, this is commonplace with amateur malware authors and is usually ignored. What caught the researchers’ attention was that Kimsuky used a Bulgarian email server and that the code contains Hangul (Korean characters), which translate to “attack” and “completion.”
Because Kimsuky is highly limited and targeted, it is uncertain how it is being distributed. The early Trojan samples collected were delivered by spear-phishing emails. These emails have been traced to “kim” names and 10 IP addresses. These IP addresses connect the malware to the Jilin and Liaoning Province networks in China. Interestingly enough, these provinces have network lines that connect to North Korea. Another notable attribute of Kimsuky is that it disables the security tools of a South Korean anti-malware company, AhnLab.
Looking at Kimsuky’s targets and the source of the IP addresses, it seems as though the malware originates from North Korea. However, Kaspersky researchers caution that “it is not that hard to enter arbitrary registration information and misdirect investigators to an obvious North Korean origin.” In the end, there is no clear-cut evidence to point any fingers.
Luckily, the code is, as previously mentioned, simple, and Kaspersky products are able to detect and neutralize the various Kimsuky threats.